3. I have logon Windows Domain at EDB office. Why does it still prompt me to logon when I try to access?

Ans: By default, you can automatically logon EDB Portal via your domain username and password. However, if a logon box is prompted, please verify the following setting on your Internet options from the control panel. Highlight Local Intranet and click the Custom Level, then ensure that the "Automatic logon only in Intranet zone" is selected.

4. How can I logon the EDB Portal on behalf of other accounts, for example: logon with my team account instead of my domain account?

Ans: By default, you will logon EDB Portal on behalf of your domain account. If you would like to logon on behalf of other account, you have to enable your browser to prompt the logon box as follow:

Go to the Internet options from the control panel. Highlight Local Intranet and click the Custom Level, then select that the "Prompt for user name and password".

Then a logon box will prompt for your next logon, you can logon on behalf of other account.

Ans: It supports popular browsers including Chrome, Internet Explorer, Microsoft Edge etc. However, to maintain the SSO experience at EDB Office, Firefox is required to apply the settings with the following steps.

i. Start Firefox and in the address bar, type about:config.
ii. At the prompt that warns to proceed with caution, agree to continue.
iii. Search for each setting in the following table and provide the value indicated.

Note: These steps are not required if you access EDB Portal via VPN.

Setting	Value
network.negotiate-auth.delegation-uris	auth-sts.edb.gov.hk
network.automatic-ntlm-auth.trusted-uris	auth-sts.edb.gov.hk
network.automatic-ntlm-auth.allow-proxies	True
network.negotiate-auth.allow-proxies	True

Ans: If you access EDB Portal via Internet, you must logon the VPN first. You can simply access via https://portal.edb.gov.hk, and it will redirect to VPN logon page. You have to pass the 2 factors authentication.

Use your DEFAULT BROWSER to logon EDB Portal.

Please remember to logout both EDB Portal & VPN at top right corner of Sign Out option stated in Question 2.

Note: Direct Access users have the same user experience as at EDB office and do NOT require VPN access.

Ans: Your workstation or notebook must have the following pre-requisite before you can connect to the VPN:

i. Install the VPN client software ii. Install the Government Departmental Portal Certificate

To ease your installation effort on Windows, you can simply download, unzip and run the VPN packaging software to accomplish all the required tasks.

For download software package: https://intranetsup.edb.gov.hk/irooms/help/edbvpn_setup_v3.zip

For details, please refer to the installation guideline as below: https://intranetsup.edb.gov.hk/irooms/help/User_Guideline_for_VPN_Access.pdf

Note: You must install the VPN client by the VPN Packaging Software

Ans: Same as at EDB Office, you must click the sign-out option at the top right corner of EDB Portal Home. Remember to close all the browser windows after your successful logout.

Ans: You must logon VPN first before you access any EDB Portal applications via Internet (https://portal.edb.gov.hk). In other words, all portal resources, except school mail systems, require VPN to access via Internet.

Ans: Below is the support version of Windows & Web browser for your reference.

Operating System	Browser Version
Windows 8.1 Windows 10	Internet Explorer 11
	Microsoft Edge
	Chrome 70 or later
	Firefox 73 or later

For Windows 10 1803 in particular, KB4103721 is required for VPN to work properly.

For details: https://support.microsoft.com/en-us/help/4103721/windows-10-update-kb4103721

Please ensure that the latest patch has been applied on your Windows.

Ans: Yes, it supports with Mac OS to access EDB Portal. You need to logon VPN before we can access any EDB resources. You are required to install both VPN clients & DP certificate on your MAC for VPN connection. Please refer to the installation guideline for details. https://intranetsup.edb.gov.hk/irooms/help/VPN_mac.pdf

12. Any additional steps should I do if I use Firefox to logon EDB Portal via VPN?

Ans: Yes, since our VPN packaging software will install the DP certificate into windows certificate store, Firefox would read its own certificate store instead. In other words, it is required to install the certificate manually by yourself:

i. Go to VPN portal: https://intranetsup.edb.gov.hk/irooms/help/vpnforportal.html
ii. Right click 2. RootCA Certificate and choose “save as” to download the certificate.
iii.Open Firefox, go to Options, Security & Privacy
iv. Go to Certificate Section, click view Certificate
v. Then click import, check the box: “Trust this CA to identify websites.” and click OK. The CA certificate will be imported successfully.

Ans: You can change your password by clicking the option at the top right corner of EDB Portal Home.

Ans: Again, you can access EDB Portal via VPN. Mobile app is required to install on your mobile for VPN access. Mobile app has version for both iOS and Android. Please refer to the installation guideline for details.

https://intranetsup.edb.gov.hk/irooms/help/VPN_mobile.pdf

Ans: It is reported that your workstation may fail to connect the VPN if your workstation is installed with some endpoint protection software such as Kaspersky 10 SP1 MR3. However, the problem is resolved after it is upgraded it to Kaspersky 10 SP2 MR3.

16. Why do I fail to logon Departmental Portal applications such as ePayroll/eLeaeve although I have successfully logon the VPN?

Ans: It is probably your workstation failed to install the certificate. You may verify whether the DP certificate is installed properly on your workstation highlighted in blue as below.

1. Click Start, type certmgr.msc in the search field
2. Check whether the certificate "Root CA 256" exists

Such problem could be avoided if you deploy your VPN client via the packaging software. In such case, you are required to uninstall the VPN software (Please refer to Q18 for details) and then install back the VPN via our VPN package.

17. Why do my e-Leave just popup and disappear when I click the link via EDB Portal?

Ans: e-Leave may be blocked by the popup blocker of browser. It is required to configure your browser under the following steps to enable e-Leave access:

For Chrome:

1. Click the settings from the Google Chrome menu (Icon with the three dots in the upper right corner)

2. Select Privacy and Security at the left panel
3. Click the Site Settings button.

4. Select Pop-ups and redirects.

5. To enable pop-ups on specific sites, check Blocked (recommended) Click Add next to Allow and enter the URL: https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg

6. If it doesn’t work, you may try to disable the pop-up blocker uncheck the Blocked box circled in blue.

For Microsoft Edge:

1. Click the settings from the New Edge menu (Icon with the three dots in the upper right corner)
2. Select Site Permissions at the left panel.
3. Select Pop-ups and redirects.

4. Move the Block toggle to On. Click Add and enter the URL: https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg

For Internet Explorer

1. Click the tools menu from top right corner and select Internet Options.

2. Select the Privacy tab.
3. Click Setting for the Pop-up Blocker.

4. Type https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg to the allowed web site & click Add then Close.

For Firefox

1. Open Firefox browser. Click the Tools menu (the icon of three horizontal lines in the top right of the browser window). Select Options.
2. Select the Privacy and Security Panel.
3. Under the Permission Section, click the Exceptions at the Block pop-up windows.

4. Add https://dsp.edb.ccgo.hksarg & https://dp.edb.ccgo.hksarg as the allowed web sites and save changes.

Ans: Go to Control Panel -> Program and Features. There you can remove your VPN by removing the program “BIG-IP Edge Client Components (All Users)” circled in red as below.

19. When I try to connect the VPN, the following screen is prompted. What should I do?

Ans: No panic. The browser session may not terminate properly during the last logon. Please click “here” and you can logon the VPN again.

Ans: There may be several possibilities, such as incompatibility of OS (Q.11) or software (Q.15) with VPN clients. Another possibility is that the VPN adapters of Windows are corrupted. It occasionally happens on the Windows 10 version prior to 1903, such as 1803, 1809, etc. You can fix this by the following steps:

i. Run “devmgmt.msc” and click “OK”

ii. Device Manager will prompt. Under Network Adapters, uninstall all adapters starting with “WAN Miniport” by right click and select uninstall

iii. Once the uninstall is complete, go to the menu bar and select “Scan for Hardware Changes” under “Action”. Those adapters will reinstall automatically without restarting your PC.

21. Will all traffic be redirected to the EDB network after the VPN is connected?

Ans: No. Split tunnelling is deployed for our VPN solution. In other words, only traffic which access EDB DP & CCGO resources will be redirected to the EDB network via VPN. User can still browse internet or access any resources on your own network even when the VPN is connected.

Ans: Use passwords with at least 8 characters composed of ALL of the following categories:

Upper case alphabet (A..Z)
Lower case alphabet (a..z)
Digits (0-9)
Special characters (e.g. !@$)

The last 8 passwords must not be re-used.

23. Why do I fail to launch e-Payroll/e-Leave, even I have successfully connected via my VPN app on Android?

Ans: For Android 9 or newer, you are required to turn off Private DNS by go to the network settings -> Connections -> Private DNS and turn it off.

Ans: It is simple to register two factor authentication by going to VPN Portal and click "register 2FA now" under the 2FA Registration Section. Please refer to the guideline for details.

You are required to logon your school mail system to get your QR code for importing the second authentication factor.

Ans: When you switch to a new mobile, you can simply re-scan the QR code that you have previously received to set up the one-time password on your new mobile. If you need us to resend the QR code, click “Resend QR code (for registered only)”. Bring up your old mobile to pass the two factor authentication and then email with your QR code will be sent to you immediately.

Ans: Yes, you can. There is no restriction to setup one-time password on multiple mobile devices.

Ans: If you have lost your mobile, you have to report to Help Desk first and will delete your previous registration. Then you can regenerate a new QR code by clicking “Register 2FA” for your new mobile.

Ans: You are required to modify the path: vpn.edb.gov.hk/2fa and enable the web logon on the app circled in red. Please refer to the installation guideline for details.

https://intranetsup.edb.gov.hk/irooms/help/VPN_mobile.pdf

29. Are there any privacy concerns to install the Microsoft Authenticator on a mobile?

Ans: Microsoft Authenticator is a two-factor authentication program installed on your mobile. It solely helps you to secure your VPN account by using the industry standard time-based One Time Password (OTP). As a matter of fact, other apps such as Google Authenticator, etc. can also be used to serve the same purpose.

Microsoft Authenticator app collects three types of information:

• Account info that you provide when you add your account. This data can be removed by removing your account.

• Diagnostic log data that stays only in the app until you use Send feedback in the app's top menu to send logs to Microsoft. These logs can contain personal data such as email addresses, server addresses, or IP addresses. They also can contain device data such as device name and operating system version. Any personal data collected is limited to info needed to help troubleshoot app issues. You can browse these log files in the app at any time to see the info being gathered. If you send your log files, Authentication app engineers will use them only to troubleshoot customer-reported issues. If you do not send any log files, the data will not leave your device.

• Non-personally identifiable usage data, such "started add account flow/successfully added account," or "notification approved." This data is an integral part of our engineering decisions. Your usage helps the vendor to determine where they can improve the apps. You see a notification of this data collection when you use the app for the first time. It informs you that it can be turned off on the app's Settings page. You can turn this setting on or off at any time.

Please refer to the following link for further details:

Questions & answers about Microsoft Authenticator app - Azure AD | Microsoft Docs

30. Is there any option other than installing the authenticator app on a mobile device?

Ans: As an alternative, you can install a Chrome browser extension by following the user guide. However, it is most common to use a mobile phone with an Authenticator App for 2-factor authentication because it is more convenient and easier to use.

https://intranetsup.edb.gov.hk/irooms/help/User_Guideline_for_Authenticator_as_Browser_extension.pdf

Ans: The Authenticator Chrome extension does not require any extra permissions. It does not have the capability to access other files on the computer. It only generates a 6-digit one-time password using a standard time-based algorithm and the key in the QR code.

Ans: Sometimes, Android mobile encounter out sync of time and will causes your one-time password out of sync with the server. You are required to re-sync your system time again by going to Settings -> System & Devices -> Date and Time -> Use Network Provided Time, then toggle off and on the button.

Note: Different Android version may have a bit different way to reset your time sync.

33. Why do I keep on looping to the VPN redirection page (a page with 3 seconds count down) even I have successfullyl logon VPN?

Ans: Some workstations may fail to redirect the EDB Portal Home Page when they have installed NOD32 ESET client software. Further configuration is required to whitelist our VPN. Please follow the guideline below.

https://intranetsup.edb.gov.hk/irooms/help/ESET_Endpoint_Security_Whitelist.pdf

34. What should I do if a script error is prompted while attempting to connect VPN?

FREQUENTLY ASKED QUESTIONS

For Office Users

For Internet Users

For Chrome:

For Microsoft Edge:

For Internet Explorer

For Firefox

For Two Factor Authentication